Operating System - HP-UX

knowing directory and file access

 
Shivkumar
Super Advisor

knowing directory and file access

Is there any command on hpux to find out which user has accessed a particular directory/files and when ?

Thanks,
Shiv
13 REPLIES
Alex Lavrov.
Honored Contributor

Re: knowing directory and file access

AFAIK, there is no such function. But there are probably third-party products that can trace these things.

The only thing you can know is when the file or directory was last modified, with the "ll" command.

Alex.
I don't give a damn for a man that can only spell a word one way. (M. Twain)
Leif Halvarsson_2
Honored Contributor

Re: knowing directory and file access

Hi,
There is an audit functionality that can be turned on to monitor user activity, but I am not sure if that is exactly what you want.

You can find information with "man 5 audit".
morganelan
Trusted Contributor

Re: knowing directory and file access

Try using lsof and please see this link:
http://www.cert.org/security-improvement/implementations/i042.05.html
Kamal Mirdad
Bharat Katkar
Honored Contributor

Re: knowing directory and file access

Hi,
You can also use "last -R" to see which users connected to the system in the past, and then maybe you can go through the suspected users' shell history, i.e. the .sh_history or .bash_history files in their home directories.

Regards,

You need to know a lot to actually know how little you know
morganelan
Trusted Contributor

Re: knowing directory and file access

Hi Shiv,
Also see this interesting link below:
http://docs.hp.com/en/B2355-90121/ch01s05.html?btnNext=next%A0%BB
Kamal Mirdad
Mahesh Kumar Malik
Honored Contributor

Re: knowing directory and file access

Hi Shiv

#last -R can provide the subject information, but use of the Auditing feature in a trusted system environment is the best option.

Regards
Mahesh
Ranjith_5
Honored Contributor

Re: knowing directory and file access

Hi Shiva,

For getting information on system events, use the audisp command. Description as follows.

#audisp -u username -e eventname -t start_time -s stop_time audit_filename

Supported events are admin, close, create, delete, ipcclose, ipccreat, ipcdgram, ipcopen, login, modaccess, moddac, open, process, readdac, removable, uevent1, uevent2, and uevent3.

For example:
#audisp -u robert -e delete -t 0101000005 -s 0130220005 audit_filename

The above would give you the delete operations performed by the user robert between Jan 1, 2005, 00:00 and Jan 30, 10pm.

For a better understanding about events see the man page of audevent.


Regards,
Syam
Shivkumar
Super Advisor

Re: knowing directory and file access

Syam;

Is there a command to find out whether auditing has been enabled on a system?

Thanks,
Shiv
Bill Hassell
Honored Contributor
Solution

Re: knowing directory and file access

Just type the command: audsys
It will report the current state.

It is easier to use SAM to set up auditing since there are so many choices for audited events. Note also that on a busy system, the auditing logfiles will grow very rapidly. Note also that the default location for the logfiles is /.secure, which is the root filesystem--a very bad location for logfiles. Change the default directory to something like /var/adm.

And note that you cannot restrict the logs to a specific set of users--all users will be logged. If what you are trying to accomplish is to find a user that is exceeding their authority or skill, start looking at the user's shell history file, .sh_history


Bill Hassell, sysadmin
Yogeeraj_1
Honored Contributor

Re: knowing directory and file access

hi,

If you don't have it, you will get the following message:
# audsys
cannot open and lock /.secure/etc/audnames;
verify that the auditing system has been installed properly,
and the /.secure/etc directory exists, prior to running this command
#

btw, why would you be willing to know that?

kind regards
yogeeraj
No person was ever honoured for what he received. Honour has been the reward for what he gave (Calvin Coolidge)
Muthukumar_5
Honored Contributor

Re: knowing directory and file access

You can do this first requirement as,

--- /etc/profile --
export HISTFILE=/var/history/.sh_history.${USER}
export HISTSIZE=2000
set -o $EDITOR
echo "Login @ `date`" >> ${HISTFILE}

You can audit this file for file access.

Using auditing also, you can do it. To check audit enablement,

1. go to sam -> Auditing and security --> Audited user -->

It will prompt for a window which asks input to convert machine with auditing. Else it will not prompt.

hth.
Easy to suggest when don't know about the problem!
Ranjith_5
Honored Contributor

Re: knowing directory and file access

Hi Shiva,

Sorry to reply.

#audsys will give you the information.

eg:-
#audsys
auditing system is currently off
current file: /.secure/etc/audfile2
next file:    none
statistics-    afs Kb   used Kb   avail %     fs Kb   used Kb   avail %
current file:    1000       656        35    409600    362199        12
next file:       none


Regards,
Syam
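
Added example (not part of the original posts): a POSIX shell check that reads `audsys` output in the format quoted in this thread and reports the auditing state, a log file still under /.secure (the location flagged earlier in the thread), and low free space on the log filesystem. The "currently on" wording and the 20% threshold are assumptions; the sample text is constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample: the audsys output quoted in this thread.
SAMPLE_OFF='auditing system is currently off
current file: /.secure/etc/audfile2
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000 656 35 409600 362199 12
next file: none'

# audit_state TEXT -> on | off | not-installed | unknown
audit_state() {
    case "$1" in
        *"auditing system is currently on"*)  echo on ;;   # assumed wording
        *"auditing system is currently off"*) echo off ;;
        *"cannot open and lock"*)             echo not-installed ;;
        *)                                    echo unknown ;;
    esac
}

# audit_file TEXT -> path on the first "current file:" line
audit_file() {
    printf '%s\n' "$1" | awk '/^current file: *\// { print $3; exit }'
}

# fs_avail_pct TEXT -> last column (filesystem avail %) of the statistics row
fs_avail_pct() {
    printf '%s\n' "$1" | awk '/^current file: *[0-9]/ { print $NF; exit }'
}

# audit_findings TEXT [MIN_PCT] -> one finding per line (MIN_PCT defaults to 20)
audit_findings() {
    state=$(audit_state "$1"); file=$(audit_file "$1"); pct=$(fs_avail_pct "$1")
    min=${2:-20}
    [ "$state" = on ] || echo "STATE: auditing is $state"
    case "$file" in
        /.secure/*) echo "LOCATION: $file is in the default /.secure directory" ;;
    esac
    if [ -n "$pct" ] && [ "$pct" -lt "$min" ]; then
        echo "SPACE: only ${pct}% of the log filesystem is available"
    fi
}

# On HP-UX, feed it live output instead: audit_findings "$(audsys 2>&1)"
audit_findings "$SAMPLE_OFF"
```
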
Ranjith_5
Honored Contributor

Re: knowing directory and file access

Oops, I meant sorry to reply late....bye tc